General
- Target: 63a7dc43ca73d600155d739c258209d9294b88897d88258b97ef2a9178a79363
- Size: 174KB
- Sample: 221113-psby6aec9s
- MD5: 14e2f072aa29e1905de1af477a1455e3
- SHA1: a9d9dc5b995483d1525e1d9ab2b0cd1ca2824b60
- SHA256: 63a7dc43ca73d600155d739c258209d9294b88897d88258b97ef2a9178a79363
- SHA512: 0a61f6ce41c1cd138af2d3ff0e081f0f6100572d2f7381a27ef081b2a2ee662f30b3f8409132a82dafd4d57653e5504f0ae6962dacccd6453db72a160b02aab2
- SSDEEP: 3072:aM42HKqLNpRIK/zRCiC8PseoCZneH+UwE6njDKA6OYJg0fm:bdLNpRIaVC8PsDCZni+UD6njDKA6OYx
Static task: static1
Behavioral task: behavioral1
- Sample: 63a7dc43ca73d600155d739c258209d9294b88897d88258b97ef2a9178a79363.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted
redline
Google2
167.235.71.14:20469
- auth_value: fb274d9691235ba015830da570a13578
Targets
- Target: 63a7dc43ca73d600155d739c258209d9294b88897d88258b97ef2a9178a79363
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext